Defending against Model Stealing via Verifying Embedded External Features

Last update: Dec 30, 2022

Related tags

Overview

Defending against Model Stealing Attacks via Verifying Embedded External Features

This is the official implementation of our paper Defending against Model Stealing Attacks via Verifying Embedded External Features, accepted by the AAAI Conference on Artificial Intelligence (AAAI), 2022. This research project is developed based on Python 3 and Pytorch, created by Yiming Li and Linghui Zhu.

Pipeline

Requirements

To install requirements:

pip install -r requirements.txt

Make sure the directory follows:

stealingverification
├── data
│   ├── cifar10
│   └── ...
├── gradients_set 
│   
├── prob
│   
├── network
│   
├── model
│   ├── victim
│   └── ...
|

Dataset Preparation

Make sure the directory data follows:

data
├── cifar10_seurat_10%
|   ├── train
│   └── test
├── cifar10  
│   ├── train
│   └── test
├── subimage_seurat_10%
│   ├── train
|   ├── val
│   └── test
├── sub-imagenet-20
│   ├── train
|   ├── val
│   └── test

📋 Data Download Link:
data

Model Preparation

Make sure the directory model follows:

model
├── victim
│   ├── vict-wrn28-10.pt
│   └── ...
├── benign
│   ├── benign-wrn28-10.pt
│   └── ...
├── attack
│   ├── atta-label-wrn16-1.pt
│   └── ...
└── clf

📋 Model Download Link:
model

Collecting Gradient Vectors

Collect gradient vectors of victim and benign model with respect to transformed images.

CIFAR-10:

python gradientset.py --model=wrn16-1 --m=./model/victim/vict-wrn16-1.pt --dataset=cifar10 --gpu=0
python gradientset.py --model=wrn28-10 --m=./model/victim/vict-wrn28-10.pt --dataset=cifar10 --gpu=0
python gradientset.py --model=wrn16-1 --m=./model/benign/benign-wrn16-1.pt --dataset=cifar10 --gpu=0
python gradientset.py --model=wrn28-10 --m=./model/benign/benign-wrn28-10.pt --dataset=cifar10 --gpu=0

ImageNet:

python gradientset.py --model=resnet34-imgnet --m=./model/victim/vict-imgnet-resnet34.pt --dataset=imagenet --gpu=0
python gradientset.py --model=resnet18-imgnet --m=./model/victim/vict-imgnet-resnet18.pt --dataset=imagenet --gpu=0
python gradientset.py --model=resnet34-imgnet --m=./model/benign/benign-imgnet-resnet34.pt --dataset=imagenet --gpu=0
python gradientset.py --model=resnet18-imgnet --m=./model/benign/benign-imgnet-resnet18.pt --dataset=imagenet --gpu=0

Training Ownership Meta-Classifier

To train the ownership meta-classifier in the paper, run these commands:

CIFAR-10:

python train_clf.py --type=wrn28-10 --dataset=cifar10 --gpu=0
python train_clf.py --type=wrn16-1 --dataset=cifar10 --gpu=0

ImageNet:

python train_clf.py --type=resnet34-imgnet --dataset=imagenet --gpu=0
python train_clf.py --type=resnet18-imgnet --dataset=imagenet --gpu=0

Ownership Verification

To verify the ownership of the suspicious models, run this command:

CIFAR-10:

python ownership_verification.py --mode=source --dataset=cifar10 --gpu=0 

#mode: ['source','distillation','zero-shot','fine-tune','label-query','logit-query','benign']

ImageNet:

python ownership_verification.py --mode=logit-query --dataset=imagenet --gpu=0 

#mode: ['source','distillation','zero-shot','fine-tune','label-query','logit-query','benign']

An Example of the Result

python ownership_verification.py --mode=fine-tune --dataset=cifar10 --gpu=0 

result:  p-val: 1.9594572166549425e-08 mu: 0.47074130177497864

Reference

If our work or this repo is useful for your research, please cite our paper as follows:

@inproceedings{li2022defending,
  title={Defending against Model Stealing via Verifying Embedded External Features},
  author={Li, Yiming and Zhu, Linghui and Jia, Xiaojun and Jiang, Yong and Xia, Shu-Tao and Cao, Xiaochun},
  booktitle={AAAI},
  year={2022}
}

Defending against Model Stealing via Verifying Embedded External Features

Related tags

Overview

Defending against Model Stealing Attacks via Verifying Embedded External Features

Pipeline

Requirements

Dataset Preparation

Model Preparation

Collecting Gradient Vectors

Training Ownership Meta-Classifier

Ownership Verification

An Example of the Result

Reference

Owner

Neural machine translation between the writings of Shakespeare and modern English using TensorFlow

CVPR 2022 "Online Convolutional Re-parameterization"

ECLARE: Extreme Classification with Label Graph Correlations

An open-source outlier detection package by Getcontact Data Team

The implemetation of Dynamic Nerual Garments proposed in Siggraph Asia 2021

Rendering Point Clouds with Compute Shaders

PyTorch implementation of the Pose Residual Network (PRN)

Neural Fixed-Point Acceleration for Convex Optimization

Smart edu-autobooking - Johnson @ DMI-UNICT study room self-booking system

Code for Recurrent Mask Refinement for Few-Shot Medical Image Segmentation (ICCV 2021).

An Implementation of Transformer in Transformer in TensorFlow for image classification, attention inside local patches

A Python toolbox to create adversarial examples that fool neural networks in PyTorch, TensorFlow, and JAX

(Python, R, C/C++) Isolation Forest and variations such as SCiForest and EIF, with some additions (outlier detection + similarity + NA imputation)

Video Instance Segmentation using Inter-Frame Communication Transformers (NeurIPS 2021)

Some simple programs built in Python: webcam with cv2 that detects eyes and face, with grayscale filter

[ICCV 2021] Amplitude-Phase Recombination: Rethinking Robustness of Convolutional Neural Networks in Frequency Domain

An index of recommendation algorithms that are based on Graph Neural Networks.

C3DPO - Canonical 3D Pose Networks for Non-rigid Structure From Motion.

SE3 Pose Interp - Interpolate camera pose or trajectory in SE3, pose interpolation, trajectory interpolation

This is the code for the paper "Jinkai Zheng, Xinchen Liu, Wu Liu, Lingxiao He, Chenggang Yan, Tao Mei: Gait Recognition in the Wild with Dense 3D Representations and A Benchmark. (CVPR 2022)"